Security issue with the site
Evening everyone
It has come to our attention that there was some malicious activity on the site last night. I assume it is obvious that the code that runs this site
is pretty old now and whilst we have done a lot of work over the last 20 years (yes, the site really is 20 years old!) there are still issues lurking
in the background that we have not spotted.
It is somewhat difficult to piece together exactly what has gone on but our best guess is that someone was able to inject SQL code to obtain
hashed (aka obscured) versions of users' passwords and from there build an authentic cookie allowing them to change users' profiles. It does not
appear at this stage that anything particularly sensitive was changed, simply some mischief was caused. My long-suffering friend Luke has done his
best to reverse engineer the method they used and believes he has now fixed the issue.
Although the information that leaked was obscured, the method the site uses to do this is 20+ years old and as such isn't particularly secure
with today's decryption methods. It is therefore potentially possible that the attacker would be able to reverse engineer your password.
Therefore, if you use the same password on other sites with the same email address and/or username we recommend that you change those passwords
urgently. I'm sure we have all heard the advice before to use a different password on every site but I am also sure not everyone follows
that advice. If you are at all in doubt, for your own sake, please err on the side of caution.
Luke has very kindly offered to re-write the entire authentication system the site uses over the next few days to ensure that this cannot happen
again. I will certainly be buying him a beer for his efforts; if you would like to contribute to that fund the button is at the top of the page.
Thanks for your understanding and support.
Chris
My gaff my rules